A little chat about penetration testing

Like ethical hacking, penetration testing – or pen testing to use its more popular name – is a way of assessing the security credentials of a network and/or system. Not to be confused with testing whether your dried up bic biro still works, it “tests” a system’s ability to keep information and data secure by identifying weaknesses that can be exploited. Therefore, what does work is commendable, but it doesn’t figure in this strategy. Recognising what doesn’t work is the goal of pen testing.

It can be argued then that professionals with a penetration testing job adopt the purported persona of cyber criminals and hackers. To beat ’em is to join ’em, so to speak: “If I was a hacker, what would I be looking to do to infiltrate or compromise a network?”

Pen testing is a proactive strategy rather than a reactive one, its philosophy being that preventing attacks is better than cleaning up “the mess”. And many organisations swear by it. If you can spot what your system is lacking in terms of data protection before a criminal does, well, you put yourself in the enviable position of being one step ahead of the game.

However, for all its merits and popularity, there are questions within the industry as to whether the high-tech evaluative method is running out of steam, and entering into the murky world of bubbles. Is it, argue some professionals, reaching the zenith of its powers?

Arguments about the limits of pen testing would be of that conclusion. Limit is the buzzword. For example, a pen tester is restricted in the amount of access they have to assess, geographically speaking. While an internal test can be carried out, it can’t, for example, evaluate the vulnerabilities of outside interference. Equally, local access wire points are negligible when testing via the internet. Limits, limits and limits.

In an engaging LinkedIn discussion two years ago, H Wayne Anderson, managing member of General Business Consulting, LLC, commented: “You might develop a false sense of security from addressing the wrong vulnerabilities, since an angry, incompetent or malicious insider often poses a greater risk to your data than outsiders do.”

That said, he did concede that proper penetration testing can identify such practices, so long as it is not the “starting place” for boosting the security of any given system.

“The basics must already be in place,” he wrote. “You should have a proper, tested backup regimen, patches tested and installed up to date, properly-sanitized SQL inputs, properly configured firewalls, network monitoring, and other preventative measures in place long before you start pen testing.”

However, in an intriguing and recent article from John Yeo, director of Trustwave SpiderLabs EMEA, he revealed is optimistic about the future of pen testing, its relevance to companies big and small and, accordingly, its strength.

He points out, cannily, that penetration testing and vulnerability scanning’s relationship is often confused, therefore, one assumes, criticism of pen testing might be misleading.

“Vulnerability scanners are great at identifying ‘low-hanging’ vulnerabilities, like common configuration mistakes or unpatched systems, which offer an easy target for attackers,” Mr Yeo wrote in SC Magazine.

“What they are unable to determine is the context or nature of the asset or data at risk, but they are also less able than humans to identify unknown unknowns.”

In contrast, pen testers are much more capable of doing this. Mr Yeo elucidates that he has experience of visiting a network that has undergone an automated scan for vulnerability and still, after human pen testing has occurred, vulnerabilities have been discovered.

“By incorporating pen testing activities as part of a wider information security strategy, organisations can validate the robustness of their security controls and identify as-yet unknown risks to their business,” he concludes. “The results of a penetration test and guidance provided help organisations to better protect sensitive data from falling into the wrong hands.”